wordpress blog stats
Connect with us

Hi, what are you looking for?

A new day, a new WhatsApp vulnerability, this time via an MP4 file

WhatsApp vulnerability

It appears that there is no end in sight to WhatsApp’s security troubles. A fortnight after it sued the Israeli spyware firm NSO Group for exploiting a VoIP call vulnerability to plant its most sophisticated spyware Pegasus in victims’ phones, Facebook, its parent company, issued an advisory on November 14 warning users that “a specially crafted MP4 file” could do much the same.

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100. [Facebook Advisory]

What does this vulnerability allow you to do? Through this vulnerability (CVE-2019-11931), a malicious actor can send a specially crafted MP4 file through WhatsApp, which could then be used to remotely execute a code on your device (RCE) or prohibit you from accessing the service (DoS). It is not immediately clear if this remote code means that sophisticated spyware, such as Pegasus, could also be installed.

How dangerous was this vulnerability? As per VulDB (Vulnerability Database), a website that tracks all security vulnerabilities in electronic products, the current exploit price for this vulnerability is $5,000-$25,000. Higher amount indicates greater interest among vulnerability brokers. Its Cyber Threat Intelligence (CTI) score is 5.63, indicating that there is moderate to high level of risk that this vulnerability could be exploited. In contrast, the 0-day price of the May 2019 vulnerability was around $25,000-$100,000.

Is there a solution? As per the advisory, upgrading to the latest version is enough. 

Does the Indian government know about it? The Indian Computer Emergency Response Team (CERT-In) issued a vulnerability note on November 16 about this and gave it a “HIGH” severity rating. Since the language used to describe the vulnerability is different from the one used in the Facebook advisory, or on the American National Vulnerability Database, one can conclude that this vulnerability was actively processed by a human agent at CERT-In, thereby suggesting that there is an active recognition of the vulnerability by the government.

Advertisement. Scroll to continue reading.
  • The direct URL link for the advisory is not visible in the address bar and has to be retrieved from the source code of the web page, nor can text from the link be directly copy-pasted. We have archived a copy of it here and have reached out to CERT-In for comment.

CERT-In WhatsApp

WhatsApp vulnerabilities have a history of mysteriously disappearing from the CERT-In website. After IT Minister Ravi Shankar Prasad’s statement on October 31 suggested that the government was not informed about the May 2019 vulnerability, the CERT-In report (dated May 17, 2019) was cited during a TV debate on October 31 to highlight that the government indeed was informed. This report, however, was mysteriously pulled down on November 1 and restored on November 2. Fortunately, people had archived a copy of it (available here).

What does WhatsApp say? A WhatsApp spokesperson told MediaNama, “WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.” Unlike their response after the Pegasus exploit, where they had said that select users were targeted by an advanced cyberactor; this time, they don’t think users have been affected. However, WhatsApp did not answer our following questions:

  • When was the vulnerability discovered by WhatsApp? When was it fixed?
  • How long was the vulnerability active?

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ